🎓️ Vulnerable U | #030

Overcoming Security Obstructionism, Mark Cuban loses $870,000 to Crypto Scam, MGM still recovering from ransomware, and 38TB of Microsoft Data Leaked

Read Time: 7 minutes

Howdy friends!

30 weeks of Vulnerable U straight is a cool milestone! And we have a few thousand more of you this week than we did a few weeks ago. I’m glad to have you all aboard.

Back home in ATX, and just about jet lag cleared. Writing to you during a busy week, but in one where I did get to sneak out to one of my favorite music venues and see a favorite band of mine.

Me in my element

mattjay’s blog of the week. This week I dive into why we’re our own worst enemy sometimes. Here’s a sneak peek:

When I think about Security Obstructionism, a term coined by Kelly Shortridge that I love, I picture a set of tools and strategies in the security world that, ironically, seem more focused on slowing things down than actually bolstering security.

It’s like when organizations become that notorious “Department of No,” where every innovative idea hits a security roadblock. And what’s the main drive behind this? Surprisingly, it’s not always about achieving top-notch security for the company or its users.

Instead, it feels like it’s more about churning out security tasks and metrics to show “progress.” This, in a way, gives the security team a tighter grip on the organization, boosting their influence and standing.

But why? Why do we, time and again, fall into this trap, becoming the very “Department of No” we once vowed to avoid?

Let’s dive into the psychological underpinnings that drive us towards SecObs behaviors, from our innate need for control to the allure of power and status.

I believe introspection is the first step towards change. By recognizing and confronting these mental roadblocks, we can chart a path forward, one where we truly get out of our own way and champion genuine security advancements.

In this episode:

  • A clue into last week’s MGM Casino hacks

  • All Defcon videos are uploaded and free on their YouTube channel

  • Mark Cuban on how he lost $870,000 to crypto scam — ‘They must have been watching’

  • 38TB of data accidentally exposed by Microsoft AI researchers

  • Clorox warns of product shortages after cyberattack

  • Microsoft promises to act as Teams continues to get pummeled by phishing attacks

  • Cisco to Acquire Splunk for $28 Billion

  • GitHub Passkeys are generally available

  • T-Mobile users say other people’s account information is appearing in their app

ICYMI

🖊️ Something I wrote: How to find your personal/professional moat

🎧️ Something I heard: 4,500 of the Top 1 Million Websites Leaked Source Code, Secrets - Truffle Security reports

🎤 Something I said: Vulnerable U YouTube channel running through everything for the week in around 10 minutes.

🔖 Something I read: No Mercy / No Malice making a case for Google being broken up by anti-trust laws

Vulnerable News

There are some updates on the Vegas casino hacks from last week. It has taken 10 days for MGM to get their systems back online which is incredibly slow in today’s environment. I think I have an idea why…

A clue into their troubles

They also are reportedly losing $8.4 million per day that this incident goes on - Source

We talked a lot about the Vegas hacks last week, here is an update and a statement straight from the threat actors, ALPHV, themselves.

Here is a TL;DR on ALPHV’s statement:

  • The ALPHV group claims they infiltrated MGM's network and had access to their systems.

  • Contrary to reports, MGM shut down its systems in response to the group's presence, not due to a ransomware attack. The ransomware was deployed later when communication attempts failed.

  • MGM's hasty decisions, like shutting down their Okta Sync servers, resulted in them being locked out of their own systems while ALPHV maintained access.

  • The group claims to have launched ransomware attacks on over 100 of MGM's systems on September 11th.

  • ALPHV provided a link for MGM to download exfiltrated data, ensuring it was password-protected using hints from senior executive passwords.

  • The group hints at the possibility of possessing Personally Identifiable Information (PII) and may notify HaveIBeenPwned.com if no agreement with MGM is reached.

  • ALPHV criticizes MGM's insider trading behavior and accuses the company of greed and incompetence.

  • The group denies rumors about tampering with MGM's slot machines and challenges false claims made by media outlets.

  • ALPHV warns of further attacks if no agreement is reached with MGM.

  • The group emphasizes that any official updates will only be available on their blog and urges caution against believing unreliable sources.

This is why I prioritize hallway con in Vegas. Now I get to go through, not stand in line, and watch every talk that I missed. There are some real gems in here. What are some of your highlights from Vegas 2023?

I try to watch a few talks on topics I know virtually nothing about, and there are always a ton of those at DEFCON. Here’s a good one on spoofing emails from 2 million domains abusing Cloudflare and bypassing SPF & DMARC. (read more)

We’ve talked about stories similar to this in recent weeks. Crypto scams are plentiful, and this one ties in a fake app in the app store. We saw a fake Signal app last month, now a fake MetaMask.

Mark Cuban, the billionaire entrepreneur and owner of the Dallas Mavericks, recently lost approximately $870,000 to a crypto scam. The suspicious activities in his crypto wallet were initially detected by on-chain sleuths. Cuban mentioned that he had accessed MetaMask for the first time in months and suspects that he might have downloaded a compromised version of the application. (read more)

Old bugs are new again? Inadvertent public S3 buckets have plagued AWS forever. Now it’s Azure’s turn to climb the learning curve of pain.

Microsoft's AI research team inadvertently exposed 38 terabytes of private data while publishing open-source training data on GitHub. The exposed data included a backup of two employees' workstations, secrets, private keys, passwords, and over 30,000 internal Microsoft Teams messages. The root cause was a misconfigured Azure Storage feature called SAS (shared access signature) tokens: the token was intended to share specific files but ended up granting access to the entire storage account.

What I also want to know is why employees’ workstations had all that info on there. And, are they training AI models on Teams messages? (read more)
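The mitigation side of that root cause is worth showing concretely. Below is an added example (my own illustration, not code from Microsoft, Wiz, or the Azure SDK) that audits SAS URLs before they are pasted into a README or a GitHub repo. It parses the token's query parameters and flags the three things that turn a "share one file" link into "share the whole account": account-level scope (`ss`/`srt` instead of a blob-scoped `sr=b`), mutating permissions in `sp`, and an expiry (`se`) far in the future. The sample URLs, the `PLACEHOLDER` signatures and the seven-day lifetime policy are constructed for the example; the parameter names are the standard SAS ones.

```python
"""Audit Azure Storage SAS URLs for over-broad scope, mutating permissions and
long expiry. Added illustration; sample URLs below are constructed, not real."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed sample SAS URLs with placeholder signatures (assumed, not real tokens).
# BROAD: account SAS (ss/srt), read+write+delete+list, expires in 2051.
BROAD_SAS_URL = ("https://example.blob.core.windows.net/"
                 "?sv=2021-06-08&ss=b&srt=sco&sp=rwdlac"
                 "&se=2051-01-01T00:00:00Z&sig=PLACEHOLDER")
# NARROW: single blob (sr=b), read only, expires in a few days.
NARROW_SAS_URL = ("https://example.blob.core.windows.net/dataset/model.bin"
                  "?sv=2021-06-08&sr=b&sp=r"
                  "&se=2023-09-25T00:00:00Z&sig=PLACEHOLDER")

MAX_LIFETIME = timedelta(days=7)      # assumed policy threshold for this example
MUTATING = set("acwdxy")              # add, create, write, delete, delete-version, permanent-delete
FIXED_NOW = datetime(2023, 9, 20, tzinfo=timezone.utc)   # constructed "today" for the demo


def parse_sas(url):
    """Return the SAS query parameters as a flat dict (first value of each key)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def _parse_expiry(se):
    """SAS times are ISO 8601 UTC; both 'Z'-suffixed and date-only forms occur."""
    dt = datetime.fromisoformat(se.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def audit_sas(url, now=None, max_lifetime=MAX_LIFETIME):
    """Return a list of human-readable findings; an empty list means the token
    is blob-scoped, read-only and short-lived."""
    now = now or datetime.now(timezone.utc)
    p = parse_sas(url)
    findings = []
    if "sig" not in p:
        return ["not a SAS URL (no sig parameter)"]

    # Scope: account SAS carries ss/srt; service SAS carries sr (b=blob, c=container).
    if "srt" in p or "ss" in p:
        findings.append(f"account SAS: scope is the whole storage account (srt={p.get('srt', '')})")
    elif p.get("sr") == "c":
        findings.append("container-scoped SAS: every blob in the container is reachable")

    # Permissions: anything beyond read turns a download link into a write path.
    perms = set(p.get("sp", ""))
    mutating = perms & MUTATING
    if mutating:
        findings.append("grants mutating permissions: " + "".join(sorted(mutating)))
    if "l" in perms:
        findings.append("grants list permission: holder can enumerate contents")

    # Expiry: a token that outlives the project is effectively a permanent key.
    if "se" not in p:
        findings.append("no expiry (se) in token")
    else:
        expiry = _parse_expiry(p["se"])
        if expiry <= now:
            findings.append(f"token expired on {p['se']}")
        elif expiry - now > max_lifetime:
            findings.append(f"expiry {p['se']} is more than {max_lifetime.days} days out")
    return findings


def redact_sas(url):
    """Replace the signature so the URL can be logged or pasted without leaking the token."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    if "sig" in q:
        q["sig"] = ["REDACTED"]
    return urlunsplit(parts._replace(query=urlencode(q, doseq=True)))


if __name__ == "__main__":
    for label, url in (("broad", BROAD_SAS_URL), ("narrow", NARROW_SAS_URL)):
        print(label, redact_sas(url))
        for f in audit_sas(url, now=FIXED_NOW):
            print("  -", f)
```

Run it as a pre-commit hook or over a repo's markdown and notebooks and the broad token gets four findings while the narrow one passes clean. The `redact_sas` helper matters as much as the audit: the signature in a SAS URL is the credential, so anything that logs or reports on these links must strip it first.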

Clorox, yup, the bleach one, recently experienced a significant cyberattack that has disrupted its operations and is expected to impact its first-quarter earnings negatively.

We don’t know a lot about this one yet. The SEC filing and a short public statement said they took a bunch of their systems offline due to a breach. We have no timeline, details of the initial access point, or attack type. But they are still using manual ordering operations, which leads me to believe they haven’t fully recovered. They’re warning of slower order flows as it is all manual. I hope we hear more about this one since the recovery seems prolonged. (read more)

Teams has been a giant phishing target lately, and Microsoft is now vowing to do something about it.

A notable threat group, Storm-0324, has been sending malicious links via Teams messages, leveraging tools like TeamsPhisher. This group is also linked to distributing the JSSLoader malware associated with the notorious ransomware gang FIN7.

They are rolling out “new but unspecified” phishing defenses for Teams. Who knows what that means, but I’m glad they’re taking some more responsibility beyond user education for such a large phishing attack surface. (read more)

It was cheaper just to buy them than renew their license for the year.

This one is a bit of a head-scratcher for everyone. Splunk seemed to be cash flow heavy, and I didn’t see an acquisition coming here if it didn’t happen a decade ago. Maybe there is some inside financial baseball we aren’t aware of. There are also a lot of newer SIEMs hitting the market looking to outflank expensive incumbents like Splunk, so they might have been making progress. (read more)

I believe Passkeys are a major player in the future of authentication, a fierce weapon in the fight against phishing. They just need more adoption. Well, GitHub is an early adopter, and I’m grateful for it. To register one or more passkeys on your account, head to your account security settings and click “Add a passkey.” (read more)

T-Mobile seems to have more data breaches than any of the telecoms. This time it might just be a glitch, but the end result is the same. PII ends up in the hands of someone who isn’t supposed to have it. (read more)

In related but unconfirmed news, there are reports on breach forums and vx-underground that T-Mobile’s employee data has been breached and leaked.


Miscellaneous mattjay

Saw a lot of vendors touting their 100% MITRE coverage today, which is just fluff nonsense. Thanks to the Huntress team for cutting through the noise:

I’m in this comic, and I don’t like it

“Nobody’s going to do your life for you. You have to do it yourself, whether you’re rich or poor, out of money or raking it in, the beneficiary of ridiculous fortune or terrible injustice. And you have to do it no matter what is true. No matter what is hard. No matter what unjust, sad, sucky things befall you. Self-pity is a dead-end road. You make the choice to drive down it. It’s up to you to decide to stay parked there or to turn around and drive out.”

Cheryl Strayed, Tiny Beautiful Things

Upcoming Appearances

I’ll be on the Shared Security Podcast next week, we recorded a few days ago with Tom and had a great chat.

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.


Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay